Carbon Black sample event messages

Use these sample event messages to verify a successful integration with IBM® QRadar®.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Carbon Black sample message when you use the Syslog protocol

Sample 1: The following sample event message shows a watchlist query matching a process. The extension attributes are separated by tab characters.

LEEF:1.0|CB|CB|5.1|alert.watchlist.hit.query.process|alert_severity=50.625	alert_type=watchlist.hit.query.process	alliance_score_srstrust=-100	cb_server=None	childproc_count=1	comms_ip=	computer_name=W7-LOW	created_time=2015-10-29T04:33:06.713157Z	crossproc_count=0	feed_id=-1	feed_name=My Watchlists	feed_rating=3.0	filemod_count=0	group=Default Group	hostname=W7-LOW	interface_ip=	ioc_attr={"highlights": ["PREPREPREacrord32.exePOSTPOSTPOST"]}	ioc_confidence=0.5	ioc_type=query	md5=AD7B9C14083B52BC532FBA5948342B98	modload_count=14	netconn_count=0	os_type=windows	process_guid=00000016-0000-0804-01d1-17153be2e8cd	process_name=cmd.exe	process_path=c:\windows\system32\cmd.exe	regmod_count=0	report_score=75	segment_id=1	sensor_criticality=3.0	sensor_id=22	status=Unresolved	timestamp=1446093201.95	type=alert.watchlist.hit.query.process	unique_id=3ee47556-3e8e-4232-b975-30ba7fbf0037	username=BIT9SEAD\user10	watchlist_id=11	watchlist_name=Unusual Parents
Table 1. Highlighted values in the Carbon Black sample event

QRadar field name   Highlighted field names or values in the event payload
-----------------   -------------------------------------------------------
Event ID            alert.watchlist.hit.query.process
Event Category      For this DSM, the value in QRadar is always CarbonBlack
Source IP           interface_ip
Username            username
Device time         created_time
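The following Python script is an added example, not code from this page, from IBM or from Carbon Black. It parses an abbreviated, constructed copy of Sample 1 (tab-delimited LEEF 1.0, as in the payload above, with a trailing carriage return and line feed to mimic a copy from the page) and applies the Table 1 mapping to it. The function names parse_leef, qradar_fields and watchlist_highlights are this example's own; the treatment of the PREPREPRE/POSTPOSTPOST markers as delimiters of the matched term is an assumption about the Carbon Black highlight format.

```python
"""Parse a Carbon Black LEEF 1.0 event and extract the fields QRadar maps.

Added example (not IBM or Carbon Black code). Assumes LEEF 1.0 with the
default tab delimiter between extension attributes, as in Sample 1 above.
"""
import json
from datetime import datetime, timezone

# Constructed, abbreviated copy of Sample 1. Extension attributes are joined
# with a literal tab; the trailing CR/LF simulates a copy/paste from the page.
_HEADER = "LEEF:1.0|CB|CB|5.1|alert.watchlist.hit.query.process|"
_EXT = [
    "alert_severity=50.625",
    "alert_type=watchlist.hit.query.process",
    "comms_ip=",
    "computer_name=W7-LOW",
    "created_time=2015-10-29T04:33:06.713157Z",
    "feed_name=My Watchlists",
    "hostname=W7-LOW",
    "interface_ip=",
    'ioc_attr={"highlights": ["PREPREPREacrord32.exePOSTPOSTPOST"]}',
    "ioc_type=query",
    "md5=AD7B9C14083B52BC532FBA5948342B98",
    "process_guid=00000016-0000-0804-01d1-17153be2e8cd",
    "process_name=cmd.exe",
    "process_path=c:\\windows\\system32\\cmd.exe",
    "report_score=75",
    "sensor_id=22",
    "status=Unresolved",
    "timestamp=1446093201.95",
    "unique_id=3ee47556-3e8e-4232-b975-30ba7fbf0037",
    "username=BIT9SEAD\\user10",
    "watchlist_id=11",
    "watchlist_name=Unusual Parents",
]
SAMPLE = _HEADER + "\t".join(_EXT) + "\r\n"


def parse_leef(raw: str) -> dict:
    """Split a LEEF 1.0 record into header fields and extension attributes."""
    # Drop the CR/LF a copy/paste leaves behind (see the note at the top of
    # the page); a syslog receiver sees the record without them.
    line = raw.replace("\r", "").replace("\n", "")
    # The header is LEEF:Version|Vendor|Product|Version|EventID| and only
    # those five '|' are structural, so split at most five times: a '|'
    # inside an extension value (e.g. a process path) must not break parsing.
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:1.0"):
        raise ValueError("not a LEEF 1.0 record")
    header = {"vendor": parts[1], "product": parts[2],
              "product_version": parts[3], "event_id": parts[4]}
    ext = {}
    for attr in parts[5].split("\t"):
        if not attr:
            continue
        key, sep, value = attr.partition("=")   # first '=' only; values may contain '='
        if not sep:
            raise ValueError(f"malformed attribute: {attr!r}")
        ext[key] = value
    return {"header": header, "ext": ext}


def qradar_fields(event: dict) -> dict:
    """Apply the Table 1 mapping to a parsed event."""
    ext = event["ext"]
    created = datetime.strptime(ext["created_time"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {
        "event_id": event["header"]["event_id"],
        "event_category": "CarbonBlack",             # fixed for this DSM (Table 1)
        "source_ip": ext.get("interface_ip") or None, # empty in the sample: no source IP
        "username": ext.get("username"),
        "device_time": created.replace(tzinfo=timezone.utc),
    }


def watchlist_highlights(event: dict) -> list:
    """Return the matched terms from the JSON-valued ioc_attr attribute.

    Assumption: PREPREPRE/POSTPOSTPOST bracket the term that matched the query.
    """
    attrs = json.loads(event["ext"].get("ioc_attr", "{}"))
    return [h.replace("PREPREPRE", "").replace("POSTPOSTPOST", "")
            for h in attrs.get("highlights", [])]


if __name__ == "__main__":
    parsed = parse_leef(SAMPLE)
    print(qradar_fields(parsed))
    print(watchlist_highlights(parsed))
```

Note that both comms_ip and interface_ip are empty in this sample, so the Source IP normalized from interface_ip would be blank for this event; when verifying the integration, check that your own sensor events carry an interface_ip before treating an empty Source IP as a parsing problem.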